Coronanormal cloud architecture

Over the last several years, a lot of big brains have been working on the problem of what “secure cloud” should actually mean. And they’ve spent a lot of time producing a lot of documentation—and a lot of big, complex diagrams that attempt to address every possible aspect of the cloud and how to make it “secure.”

Unfortunately, an older XKCD cartoon aptly describes the result:

Panel 1: There are 10 competing standards

Panel 2: We should figure out how to unify them all. Great idea!

Panel 3: There are 11 competing standards

And, as anyone who’s been around for a while knows, this is the general way our industry solves problems. I’ve done it. You’ve probably done it, and the majority of vendors out there have certainly done it.

However, if the last 7-14 days (depending on where you are) have shown me anything, we might be faced with what we’ve seen as a new “coronanormal” environment where we’re all desperately trying to avoid killing each other, video-bombing our partners’ and kids’ video conference calls, and seriously wishing we’d opted for that large property in the countryside where we could all stretch our legs when we needed it.

Like everything, there’s good and bad in all this. While all of these current woes are taxing both our patience and our Internet infrastructure, without those cloud services a lot more of us are using a lot more often, things would’ve simply ground to a halt.

So, I’m going to hazard a guess that as more travel lockdowns take place…and more countries close their airspace like the UAE did today…if business still wants to get done, a lot more decisions about in-house vs. cloud services are going to get revisited.

And when that happens…it’s going to be even more critical than it was before that we somehow get our collective crapola together when it comes to not only talking about “the cloud” as this mythical entity hanging in the ether…

…but also about how we truly make it an extension of our enterprise—and that means as part of our security policies too.

In a lot of the work I’ve done over the last few years, pretty much every one of our clients and customers has a pet reference architecture for cloud. And most of those architectures have evolved quite dramatically over that same period as the sheer number of products has multiplied and made it possible to do more and more – and sometimes with more (or less) control – in someone else’s datacenter.

But from what I’ve seen, people still have one of two major problems:

they still focus too much on the technology vs. what’s actually being delivered, and/or

they get overwhelmed with the overall complexity of the existing, published cloud reference architectures when they try and put them to practical use.

To address this, I decided that the entirety of the upcoming April edition of our print newsletter, Security Sanity™, would talk about how to find the right balance between the technology and the business-enabling functionality of various cloud offerings, and try to illustrate how to untangle some of the complexity behind popular cloud models from CSA, Microsoft and NIST that I’ve seen come up the most in our client work.

The objective of the April issue is to help you better integrate your cloud solutions and approach into your existing enterprise security program so you can more easily demonstrate where you’re doing the right thing. Once you’ve done that, you’ll then be able to use that same information to drive any necessary changes in either your enterprise security approach or your existing cloud provider agreements.

But you’ll only get the April issue delivered to your door* assuming that you’ve ensured you’re subscribed by the end of the month, next Tuesday at 11:59pm US/Eastern. In the event that you’re sitting on the fence and the $97 subscription charge isn’t processed before that time, your subscription will start with the May issue, and you’ll have missed out on April’s Cloud Security Bonanza.

If you’re completely happy with your approach to integrating cloud security into your existing policies and your enterprise security program, and feel you’re free of DevOps silos, then you can probably give this one a miss. As always, it’s up to you to decide what’s important and how you grow your skills as a security leader—with or without COVID-19.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

* If the global supply chain for postal and courier deliveries does somehow grind to a halt during all this craziness, rest assured, I’ll make a plan where you won’t miss the issue as a result.
